California Attorney General Rob Bonta, together with the California Privacy Protection Agency (CPPA) and attorneys general from Colorado and Connecticut, has launched a joint investigation into businesses that may not be honoring consumers’ requests to opt out of the sale or sharing of their personal information. The probe focuses on compliance with the Global Privacy Control (GPC), a browser setting or extension that automatically signals a consumer’s desire to stop companies from selling or sharing their data with third parties.
The coalition has sent letters to businesses suspected of failing to process GPC-based opt-out requests as required by law, asking them to come into immediate compliance. This action follows educational efforts on Data Privacy Day 2025 and builds on previous enforcement measures in California, including a $1.2 million settlement with Sephora regarding GPC compliance.
“Californians have the important right to opt-out and take back control of their personal data — and businesses have an obligation to honor this request,” said Attorney General Rob Bonta. “Today, along with our law enforcement partners throughout the country, we have identified businesses refusing to honor consumers’ requests to stop selling their personal data and have asked them to immediately come into compliance with the law. California and our sister states are committed to continued collaboration to actively enforce consumers’ important privacy rights and are paying close attention to business compliance with the Global Privacy Control.”
“In Connecticut, you have the right to access, correct, and delete personal data stored and collected by businesses, and the right to opt-out of the sale of personal data and targeted advertising. And you can install a simple browser extension that indicates your choice to opt-out of this type of commercial tracking. While many businesses have been diligent in understanding these new protections and complying with the law, we are putting violators on notice today that respecting consumer privacy is non-negotiable,” said Attorney General William Tong.
“Collaboration with our partners in other states is essential to the CPPA’s work. We are proud to join this effort to ensure that consumers’ opt-out rights are honored, and we will continue working across jurisdictions to protect Californians’ privacy,” said Tom Kemp, the CPPA’s Executive Director.
Data collection online remains widespread; individuals generate significant amounts of digital information daily through website visits, app usage, clicks, purchases, location data transmission, among others. Businesses often use these details for profiling purposes or share them further downstream. Preventing unauthorized third-party access is considered an important step toward protecting consumer privacy.
Under California’s Consumer Privacy Act (CCPA), residents can direct companies not to sell or share their personal information. Once an opt-out request is made—either through GPC or directly via company websites—businesses must comply unless given explicit permission otherwise at least 12 months later.
Consumers can enable GPC using browser extensions or settings for automatic protection without needing separate requests for each site they visit. Alternatively, individuals may exercise their rights one business at a time by using clear “Do Not Sell or Share My Personal Information” links provided on company websites as required under state law.
If such links are missing or nonfunctional despite indications that data is being sold or shared, consumers can report violations through oag.ca.gov/report for review by authorities.
